From your description, it looks like XSSSanitize also escapes all HTML characters. According to Google, you can undo this by creating a Java action with a String input and String output and the following code:
return StringEscapeUtils.unescapeHtml4(input);
Be sure to add an import: import org.apache.commons.lang3.StringEscapeUtils;
Note 1: I haven't actually tested this.
Note 2: You should ensure that unescaping the HTML does not leave you vulnerable. XSSSanitize is controlled by policy files found in /projectfolder/resources/communitycommons/antisamy. You can manually edit these files to allow or disallow additional characters or elements.
Where is the string actually getting placed in your DOM such that it can be executed? It almost certainly is not a Mendix default widget, but rather some vulnerability in a custom widget.
For example, I've seen an XSS risk in the past on the DropDownDivConverter widget. It was using the value of an attribute directly as a label on a button. So, the fix was to escape that value before it was placed in the DOM, like this:
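The following is an added illustration of the two points made in this thread, not code from either answer (the second answer's own snippet is not reproduced on this page): a custom widget escapes an attribute value before building button markup from it, and a value that was escaped by XSSSanitize and then unescaped server-side (as with unescapeHtml4) is back to its raw form, so it still needs escaping at the point where it enters the DOM. The `buttonMarkup*` template strings stand in for a widget's rendering and are an assumption, not Mendix API.

```javascript
// Added example for the Mendix XSSSanitize discussion; not code from the forum answers.
// Returns strings rather than touching a real DOM so it can run in Node.

// Characters that must never reach HTML text or a quoted attribute unescaped.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const HTML_UNESCAPES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Escape a value so it is rendered as literal text inside the widget's markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Minimal stand-in for StringEscapeUtils.unescapeHtml4: decodes the five named
// entities above plus decimal and hexadecimal numeric references. Anything else
// is left untouched.
function unescapeHtml(value) {
  return String(value).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const code = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return String.fromCodePoint(code);
    }
    const named = HTML_UNESCAPES[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// Assumed widget rendering: the "before" form interpolates the attribute value
// as raw HTML (the DropDownDivConverter-style defect), the "after" form escapes it.
function buttonMarkupUnsafe(label) { return `<button>${label}</button>`; }
function buttonMarkupSafe(label) { return `<button>${escapeHtml(label)}</button>`; }

// A value sanitized by XSSSanitize and then unescaped in a Java action comes back
// unchanged, which is why Note 2 above matters: the escaping has to be redone at
// the DOM insertion point, not assumed to still be present.
function roundTrip(value) { return unescapeHtml(escapeHtml(value)); }

module.exports = { escapeHtml, unescapeHtml, buttonMarkupUnsafe, buttonMarkupSafe, roundTrip };
```

Running the safe and unsafe markup builders on a label such as `<i>Save</i>` shows the difference: the unsafe form emits nested markup the browser will interpret, the safe form emits only text.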